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666: The Devil's Read/Write Permission 

by Erica Sadun 

Terminal's command line makes it simple to set permissions for any of your OS X files. Permissions specify access control--who may read, write or execute your files. The 
chmod command takes two or more arguments, the first is a multi-digit number that specifies your control choices, the rest is a list of files affected by this change. 


The multi-digit number is created by summing up the permissions you'd like to apply. Quoting from the OS X manual pages, these numbers are as follows: 


4000: (the set-user-ID-on-execution bit) Executable files with this bit set will run with effective uid set to the uid of the file owner. Directories with the 
set-user-id bit set will force all files and sub-directories created in them to be owned by the directory owner and not by the uid of the creating process, if 
the underlying file system supports this feature: see chmod(2) and mount(8). 

2000: (the set-group-ID-on-execution bit) Executable files with this bit set will run with effective gid set to the gid of the file owner. 

1000: (the sticky bit) See chmod(2) and sticky(8). 

0400: Allow read by owner. 

0200: Allow write by owner. 

0100: For files, allow execution by owner. For directories, allow the owner to search in the directory. 

0040: Allow read by group members. 

0020: Allow write by group members. 

0010: For files, allow execution by group members. For directories, allow group members to search in the directory. 

0004: Allow read by others. 

0002: Allow write by others. 

0001: For files, allow execution by others. For directories allow others to search in the directory. 


So, to set a file's permissions to universal read, universal write you must sum up the read attributes and the write attributes for owner, group members and others: 0400 
+ 0200 + 0040 + 0020 + 0004 + 0002, which equals 0666 or more simply 666: 
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% c h mo d 6 6 6 bar 
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That's too much like work. If you want to give write access to a group, 
you have to first get the current permissions, apply the new permissions 
mask, and then run chmod. I prefer to use the "symbolic mode" instead, 
just "chmod g+w foo.txt" to do the same thing. No math, no pain - but I'm 
repeating myself now. 

For those who didn't notice, the date is also 6/6/06. ;) 


As a professional sysadmin, I don't agree with using symbolic mode. You 
set the permissions to what they should be... you don't modify them from 
what they might be. 

Steve: Excellent point. 


I'm not convinced Steve's point is excellent, at least not without 
clarification. 


With ~30 years of Unix experience, I know it's not always possible to 
accurately determine what file permissions "should" be. I sure can't 
provide that information about every single file on my own OS X 
systems even though I thoroughly understand permissions. Sometimes 
it's just a best guess with prior permissions, file type/content, and context 
as a guide. The near-half-century-old Unix permissions scheme wasn't 
designed for managing the larger numbers of files on todays filesystems. 
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It doesn't scale. 


Relative and absolute file permission changes are both valid, regardless 
of whether or not symbolic mode is used. Making only absolute numeric 
permission changes is unnecessarily restrictive and can produce 
undesirable results by toggling bit states that should be preserved (e.g. 
by naively running "chmod -R 777 ..." commands). 

Not so excellent at all. Steve suggests that symbolic mode is used to 
"modify [permissions] from what they might be", but that's absurd. 
Determining the changes that are needed is an entirely separate 
question from deciding how to make those changes. If I didn't know what 
the current perms are, what they should be, and why they need to be 
changed, I'd be a fool to change them at all, regardless of the tool I used 
to make the change. 


Similarly, once you've done your research and arrived at the conclusion 
that "/etc/foo needs to be group writable, but it's not", the *only* question 
left is how to make that change. Do you want to do the math yourself, or 
use g+w and let chmod handle the math? To put it another way, do you 
want to introduce *two* opportunities for error (typos & mathos) with 
numeric mode, or just *one* opportunity for a typo with symbolic mode? 

Sherm, with all due respect, I think you overestimate the difficulty of the 
math. It becomes pretty repetitive overtime. I know the patterns I want 
and I find it easier just to use 'em directly. 

Erica, I said that numeric mode introduces an additional opportunity for 
math errors, which symbolic mode avoids by eliminating the math. How 
is "not zero > zero" an overestimation? And how does the fact that *you* 
or *1* can do octal math while asleep have any relevance to the readers 
in the audience who are not similarly gifted? 

I'm starting to see any interesting pattern with Erica's posts. It goes like 
this: 


* Erica posts to the blog 

* 0 or more people agree with her 

* 1 or more people disagree with her and give an alternative (and/or 
superior) solution 

* Erica defends blog post without really acknowledging the weaknesses 
found therein. 


Nothin' but love, Erica. :) 

Grant, it is permissible and appropriate to disagree politely in a public 
forum. When technical arguments turn into ad hominem attacks, I will 
remove myself from the conversation. This is what happened during our 
previous discussion, and this is what I will do now. I look forward to your 
future on-topic responses and thank you in advance for your technical 
insights. 

Determining the changes that are needed is an entirely separate 
question from deciding how to make those changes. 


That was my objection to Steve's comment, expressed more clearly and 
succinctly. 

Dumb reason for not using symbolic mode. You can set them perfectly 
well with chmod u=rw,g=rw,o=r if you want. 


Also important to point out that those are octal numbers. 

Grant, it is permissible and appropriate to disagree politely in a public 
forum. When technical arguments turn into ad hominem attacks, I will 
remove myself from the conversation. This is what happened during our 
previous discussion, and this is what I will do now. I look forward to your 
future on-topic responses and thank you in advance for your technical 
insights. 


1) What I posted was not an attack, merely an observation. And a 
somewhat humourous one, at that. Notice the use of the smiley face at 
the end. 


2) In our previous discussion, I did not attack you, merely your idea that 
you stubbornly clung to despite numerous responses to the contrary. I 
was very direct, and attacked many of the points with which you chose to 
defend your idea, but I did not attack you or your character or anything 
else that I could see as a valid type of "ad hominem" attack. Ironically, 
accusing someone else of an "ad hominem" attack can itself be an "ad 
hominem" attack. 

As far as the comments that have been made, both styles of chmod have 
their place. 
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If I know the exact permissions that I want a file to have, I would use the 
"numeric" mode 


Otherwise, I would use the symbolic mode, as it makes it very easy to 
"add" permissions that are needed or "remove" permissions that are not 
needed. Numeric mode can sometimes have un-inteded consequences. 
But, to each his/her own, I suppose. 
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Also, since we are throwing fun "logical fallacy" terms around, Steve's 
argument is basically an "appeal to authority" argument. Read about it at 
Wikipedia. Of course, sending you to Wikipedia is, in and of itself, an 
"appeal to authority". Perhaps we should get off the logical merry- 
go-round. :) 

To be clear, I regularly use both modes. I use symbolic for when I'm 
doing batch changes and I use numeric on file-by-file bases. 
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